Pixnapping nyiag 2FA thiab cov ntaub ntawv ntawm Android yam tsis tau tso cai

Pixnapping tuaj yeem nyiag 2FA cov lej thiab lwm cov ntaub ntawv ntawm lub vijtsam hauv tsawg dua 30 vib nas this yam tsis tau tso cai.
Nws ua haujlwm los ntawm kev ua phem rau Android APIs thiab GPU sab channel kom infer pixels los ntawm lwm cov apps.
Kev sim ntawm Pixel 6-9 thiab Galaxy S25; qhov pib thaj (CVE-2025-48561) tsis tag nrho thaiv nws.
Nws raug nquahu kom siv FIDO2/WebAuthn, txo qis cov ntaub ntawv rhiab ntawm lub vijtsam, thiab zam cov apps los ntawm qhov tsis zoo.

Pixnapping Attack ntawm Android

Ib pab neeg tshawb fawb tau nthuav tawm Pixnapping, ib Cov txheej txheem tawm tsam tawm tsam Android xov tooj muaj peev xwm ntes tau dab tsi tshwm sim ntawm qhov screen thiab rho tawm cov ntaub ntawv ntiag tug xws li 2FA cov lej, cov lus lossis qhov chaw nyob hauv vib nas this thiab tsis tau thov kev tso cai.

Qhov tseem ceeb yog kev tsim txom qee qhov system APIs thiab a GPU sab channel txiav txim siab cov ntsiab lus ntawm cov pixels koj pom; cov txheej txheem tsis pom thiab siv tau ntev npaum li cov ntaub ntawv tseem pom, thaum Cov lus zais tsis pom ntawm qhov screen tsis tuaj yeem raug nyiag. Google tau qhia txog kev txo qis cuam tshuam nrog CVE-2025-48561, tab sis cov kws sau ntawv ntawm qhov kev tshawb pom tau pom txoj hauv kev evasion, thiab kev txhawb nqa ntxiv yuav tsum muaj nyob rau lub Kaum Ob Hlis Android kev ruaj ntseg ntawv tshaj tawm.

Pixnapping yog dab tsi thiab vim li cas nws muaj kev txhawj xeeb?

Lub npe ua ke "pixel" thiab "kidnapping" vim hais tias kev tawm tsam ua rau a “pixel hijacking” rov tsim cov ntaub ntawv uas tshwm sim hauv lwm cov apps. Nws yog ib qho kev hloov pauv ntawm cov txheej txheem sab-channel siv xyoo dhau los hauv browsers, tam sim no hloov mus rau niaj hnub Android ecosystem nrog smoother, ntsiag to tua.

Cov ntsiab lus tshwj xeeb - Nyem qhov no Puas muaj kev nyab xeeb rau rub tawm cov ntaub ntawv nrog WinZip?

Vim nws tsis tas yuav muaj ntawv tso cai tshwj xeeb, Pixnapping zam kev tiv thaiv raws li tus qauv tso cai thiab ua haujlwm yuav luag invisibly, uas ua rau muaj kev pheej hmoo rau cov neeg siv thiab cov tuam txhab uas vam khom ib feem ntawm lawv txoj kev ruaj ntseg ntawm qhov tshwm sim sai sai ntawm qhov screen.

Yuav tua li cas

Pixnapping ua haujlwm li cas

Hauv cov ntsiab lus dav dav, lub siab phem app orchestrates a cov dej num sib tshooj thiab synchronizes rendering rau cais thaj chaw tshwj xeeb ntawm lub interface qhov twg cov ntaub ntawv rhiab tshwm sim; ces exploits lub sij hawm sib txawv thaum ua pixels infer lawv tus nqi (saib li cas Fais fab profiles cuam tshuam FPS).

Ua rau lub hom phiaj app tso saib cov ntaub ntawv (piv txwv li, 2FA code lossis cov ntawv rhiab heev).
Nkaum txhua yam tshwj tsis yog thaj tsam ntawm kev txaus siab thiab tswj cov rendering ncej kom ib pixel "dominates."
Txhais cov sijhawm ua haujlwm GPU (piv txwv li GPU.zip yam tshwm sim) thiab reconstructs cov ntsiab lus.

Nrog kev rov ua dua thiab synchronization, cov malware txiav cov cim thiab rov ua kom lawv siv OCR siv tshuabLub sijhawm lub qhov rais txwv qhov kev tawm tsam, tab sis yog tias cov ntaub ntawv tseem pom tau ob peb feeb, rov qab tuaj yeem ua tau.

Scope thiab cuam tshuam cov cuab yeej

Cov kws tshawb fawb tau txheeb xyuas cov txheej txheem hauv Google Pixel 6, 7, 8 thiab 9 thiab nyob rau hauv lub Samsung Galaxy S25, nrog Android versions 13 txog 16. Txij li cov APIs siv tau dav dav, lawv ceeb toom tias "yuav luag tag nrho cov niaj hnub Androids" tuaj yeem raug.

Cov ntsiab lus tshwj xeeb - Nyem qhov no Yuav ua li cas kom tsis txhob muaj cov passwords duplicate hauv 1Password?

Hauv kev sim nrog TOTP cov lej, qhov kev tawm tsam tau rov qab tag nrho cov lej nrog tus nqi kwv yees li 73%, 53%, 29% thiab 53% ntawm Pixel 6, 7, 8 thiab 9, feem, thiab nyob rau hauv nruab nrab lub sij hawm ze rau 14,3 s. ; kuv. 25,8s ;ua. 24,9 thiab 25,3s, tso cai rau koj kom tau txais ua ntej ntawm lub sijhawm tas sij hawm ntawm cov lis dej num ib ntus.

Cov ntaub ntawv twg tuaj yeem poob

Ntxiv rau authentication codes (Google Authenticator), cov kws tshawb fawb tau qhia rov qab cov ntaub ntawv los ntawm cov kev pabcuam xws li Gmail thiab Google cov nyiaj, kev xa xov apps xws li Signal, nyiaj txiag platforms xws li Venmo lossis cov ntaub ntawv qhov chaw los ntawm Google Mapsntawm lwm tus.

Lawv kuj ceeb toom koj txog cov ntaub ntawv uas tseem nyob ntawm qhov screen rau lub sijhawm ntev, xws li cov lus rov qab lub hnab nyiaj los yog ib zaug yuam sij; Txawm li cas los xij, khaws cia tab sis tsis pom cov ntsiab lus (piv txwv li, tus yuam sij zais cia uas tsis tau pom) yog dhau ntawm Pixnapping.

Google Teb thiab Patch Status

Qhov kev tshawb pom tau sib txuas lus ua ntej rau Google, uas tau sau qhov teeb meem no tias muaj kev mob hnyav heev thiab tau tshaj tawm thawj qhov kev txo qis cuam tshuam nrog CVE-2025-48561Txawm li cas los xij, cov kws tshawb fawb pom txoj hauv kev los khiav nws, yog li Ib thaj ntxiv tau cog lus tseg hauv tsab ntawv xov xwm Lub Kaum Ob Hlis thiab kev sib koom tes nrog Google thiab Samsung yog khaws cia.

Qhov xwm txheej tam sim no qhia tias qhov thaiv qhov tseeb yuav xav tau kev tshuaj xyuas seb Android ua li cas rendering thiab overlays nruab nrab ntawm daim ntawv thov, txij li kev tawm tsam exploits precisely cov internal mechanisms.

Cov ntsiab lus tshwj xeeb - Nyem qhov no Lawv kwv yees qhov kev foob tawm tsam Google rau kev taug qab cov ntaub ntawv hauv hom incognito

Pom zoo ntsuas kev txo qis

Pixnapping yog dab tsi?

Rau cov neeg siv kawg, nws raug nquahu kom txo qis qhov cuam tshuam ntawm cov ntaub ntawv rhiab ntawm lub vijtsam thiab xaiv rau phishing-resistant authentication thiab sab raws, xws li FIDO2/WebAuthn nrog cov yuam sij kev nyab xeeb, zam kev tso siab tshwj xeeb rau TOTP cov lej thaum twg ua tau.

Khaws cov cuab yeej mus txog hnub tim thiab siv cov ntawv xov xwm kev ruaj ntseg sai li sai tau thaum lawv muaj.
Tsis txhob nruab apps los ntawm cov ntaub ntawv tsis tau lees paub thiab tshuaj xyuas kev tso cai thiab tus cwj pwm tsis zoo.
Tsis txhob khaws cov lus rov qab los yog cov ntaub ntawv pov thawj pom; nyiam kho vajtse hnab nyiaj tiv thaiv cov yuam sij.
Xauv lub vijtsam sai sai thiab txwv kev saib ua ntej ntawm cov ntsiab lus rhiab.

Rau cov khoom thiab kev txhim kho pab pawg, nws yog lub sijhawm txheeb xyuas cov kev txheeb xyuas qhov tseeb thiab txo qhov chaw raug: txo qis cov ntawv zais ntawm lub vijtsam, qhia txog kev tiv thaiv ntxiv hauv cov kev xav tseem ceeb thiab ntsuas qhov kev hloov mus rau cov txheej txheem tsis pub dawb kho vajtse raws li.

Txawm hais tias qhov kev tawm tsam xav tau cov ntaub ntawv kom pom, nws muaj peev xwm ua haujlwm tsis muaj kev tso cai thiab tsawg dua ib nrab feeb ua rau nws muaj kev hem thawj loj: cov txheej txheem sab-channel uas siv qhov zoo ntawm GPU rendering lub sijhawm nyeem qhov koj pom ntawm lub vijtsam, nrog rau qee qhov kev txo qis hnub no thiab kev txhim kho tob dua.

Tsab xov xwm cuam tshuam:

Galaxy S26 Ultra: Nov yog qhov screen ntiag tug tshiab yuav zoo li

Alberto Navarro

Kuv yog ib tus neeg nyiam siv thev naus laus zis uas tau hloov nws txoj kev nyiam "geek" rau hauv txoj haujlwm. Kuv tau siv ntau tshaj 10 xyoo ntawm kuv lub neej siv cov cuab yeej siv thev naus laus zis thiab tinkering nrog txhua yam kev pab cuam tawm ntawm kev xav paub dawb huv. Tam sim no kuv tau tshwj xeeb hauv computer technology thiab video games. Qhov no yog vim ntau tshaj 5 xyoo kuv tau sau rau ntau lub vev xaib ntawm kev siv tshuab thiab kev ua si video, tsim cov ntawv uas nrhiav kom muab cov ntaub ntawv koj xav tau hauv hom lus uas txhua tus neeg nkag siab.

Yog tias koj muaj lus nug, kuv qhov kev paub yog los ntawm txhua yam ntsig txog Windows operating system nrog rau Android rau cov xov tooj ntawm tes. Thiab kuv txoj kev cog lus yog rau koj, Kuv ib txwm kam siv ob peb feeb thiab pab koj daws cov lus nug uas koj muaj nyob hauv lub ntiaj teb no hauv internet.